Ok, thanks for the info. However, I have a few more questions. Can packet filtering be considered an IDS system? If not, can it be configured into one? What is the difference in the way they filter? Which one is more reliable?

IDS is intrusion detection, and if your firewall logs are being looked through and you get alerted to certain traffic being blocked or allowed, then it's an IDS. If you don't have the logs checked with a program or manually, then it's not much of any acronym. An IPS, intrusion PREVENTION system, is one that blocks. Detection alerts you to trouble, or the lack thereof, but doesn't act. IDSs like Snort have plug-ins or add-ons like SnortSAM that will see the alert and then issue commands to your firewall to block that traffic for a specified time, seconds to forever depending on your settings.

IDS/IPS systems are both just as vulnerable to false positives and false negatives; it depends on the rule that is written. Snort rules are community rules: everyone across the globe contributes and writes rules for Snort, some write better rules than others, and some rules that are well written develop false positives later down the road.
http://www.snort.org/
http://www.snort.org/docs/ (there are lots of links to docs that apply to other IDSs as well, like the IDS evasion docs)
http://www.snortsam.net/

> If not, can it be configured into one?
yes, no, depends
Configuring iptables with logging, and then reading the logs, might be considered an IDS
:)
> What is the difference in the way they filter?
IDS do *not* filter

> Which one is more reliable?
both, none, depends
I'd vote for a firewall ...
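As an added example of the point in the answer above (written for this page, not code from the thread or from any poster): an iptables rule such as `iptables -A INPUT -j LOG --log-prefix "IPT-IN: "` only writes lines to the kernel log; whatever "detection" exists is the program that reads them back. The script below parses constructed lines in the netfilter LOG format and flags any source address that touched five or more distinct destination ports, which is about the simplest log-reading IDS there is. The log prefix, the threshold, the sample addresses and the field names the parser relies on are assumptions for the example.

```python
"""Added example: a crude IDS built from iptables LOG lines.
Not from the thread; the sample log, prefix and threshold are constructed."""
import re
from collections import defaultdict

# Constructed sample lines, in the layout the kernel's netfilter LOG target
# produces for a rule with --log-prefix "IPT-IN: " (assumed prefix).
SAMPLE_LOG = """\
kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40002 DPT=23 SYN
kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40003 DPT=25 SYN
kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40004 DPT=80 SYN
kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40005 DPT=443 SYN
kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=80 SYN
kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=80 SYN
kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=53 DPT=53
kernel: some unrelated kernel message
"""

# KEY=VALUE pairs; an empty value such as "OUT=" is simply skipped.
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_line(line, prefix="IPT-IN: "):
    """Return the KEY=VALUE fields of one LOG line, or None if the line
    does not carry our prefix (i.e. it is not one of our firewall's lines)."""
    if prefix not in line:
        return None
    body = line.split(prefix, 1)[1]
    return dict(FIELD_RE.findall(body))


def port_scanners(log_text, min_ports=5):
    """Map each source that hit at least min_ports distinct destination
    ports to the sorted list of those ports. ICMP lines have no DPT and
    are ignored; so are lines that are not ours."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or "DPT" not in fields or "SRC" not in fields:
            continue
        ports_by_src[fields["SRC"]].add(int(fields["DPT"]))
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for src, ports in port_scanners(SAMPLE_LOG).items():
        print(f"ALERT possible port scan from {src}: {len(ports)} ports {ports}")
```

The same loop run over `journalctl -k -f` or `tail -F /var/log/kern.log` output instead of the constructed string gives the "firewall log plus a program that reads it" arrangement the answer describes; it still only alerts, which is the IDS side of the distinction, and nothing here changes a rule.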

A packet filtering firewall applies rules to connections, e.g. anyone can connect to server X on port 80. But they do not have any intelligence (in general, although many firewalls do now allow for some application intelligence) about what is sent to that port. So although you may only be able to connect to the web server on port 80, you can send any data you like to that port; hence it is still vulnerable to attack.

An IPS / IDS device will use a combination of filters and / or heuristics to apply intelligence to what traffic is actually allowed. So, continuing the above example, if you put an IPS device behind the firewall this would then monitor the port 80 traffic to the web server and either alert on or block anything suspicious (e.g. worms), thus offering further protection for your web server.

Personally (I can't comment specifically on snort) I prefer in-line IPS devices as they can actually block traffic rather than relying on either changing firewall rules or sending resets.

As both IDS / IPS devices suffer from false positives, it is usual to configure them to monitor / alert only initially (especially IPS) in order to get a sensible baseline before allowing them to perform further actions.

Some vendors are now offering devices that offer both firewall and IDS functionality in one box. The next stage of IDS / IPS is building it into core switches, thus allowing entire internal networks to be protected by one device, although these are currently in their infancy, and rather expensive.

IDS / IPS devices also offer value when used on internal networks: as well as helping prevent the spread of malware, they can also spot many configuration errors such as blank sa passwords or the use of banned protocols (e.g. we don't allow FTP or Telnet on our network).
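An added example of the distinction drawn in the answer above (example code written for this page, not from the thread or from any IDS vendor): the packet filter decides on protocol and port only, so a request to port 80 is accepted whatever it carries, and an inline inspection step then matches the payload against signatures. The `mode` switch reproduces the baseline phase the answer recommends: in `alert` mode hits are only reported, in `block` mode they are dropped. The rule set, the three signatures and the sample HTTP requests are constructed for the example and deliberately simple; real Snort rules are far richer.

```python
"""Added example: packet-filter decision versus payload inspection, with an
alert-only baseline mode and a blocking mode. Rules, signatures and sample
requests are constructed for the example, not taken from any product."""
import re

# Packet-filter view: a decision on protocol and destination port only.
# (proto, dst_port or None for any, action); first match wins.
FILTER_RULES = [
    ("tcp", 80, "accept"),
    ("tcp", 22, "accept"),
    ("tcp", None, "drop"),   # default deny for everything else
]


def packet_filter(proto, dst_port):
    for rule_proto, rule_port, action in FILTER_RULES:
        if rule_proto == proto and (rule_port is None or rule_port == dst_port):
            return action
    return "drop"            # nothing matched: deny by default


# IDS/IPS view: signatures applied to the bytes the filter already let in.
# Deliberately simple patterns, named so a hit is readable in an alert.
SIGNATURES = {
    "path traversal in URI": re.compile(rb"\.\./"),
    "shell metachar in query": re.compile(rb"[?&][^ ]*[;|`]"),
    "oversized header (possible overflow attempt)":
        re.compile(rb"^[A-Za-z-]+: .{1024,}$", re.M),
}


def inspect_payload(payload):
    """Return the names of every signature that matches the payload."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]


def ips_decision(proto, dst_port, payload, mode="alert"):
    """Filter first, then inspect. Returns (verdict, list_of_hits).
    mode='alert' reports hits but still accepts (baseline phase);
    mode='block' drops anything that trips a signature."""
    verdict = packet_filter(proto, dst_port)
    if verdict != "accept":
        return verdict, []   # never reached the inspection stage
    hits = inspect_payload(payload)
    if hits and mode == "block":
        return "drop", hits
    return "accept", hits


# Constructed sample requests; all go to tcp/80, so the filter accepts all of them.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TRAVERSAL = b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
INJECT = b"GET /cgi-bin/ping?host=192.0.2.1;id HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
LONG_HDR = b"GET / HTTP/1.1\r\nHost: " + b"A" * 2000 + b"\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("traversal", TRAVERSAL),
                      ("inject", INJECT), ("long header", LONG_HDR)]:
        print(f"{name:12} filter={packet_filter('tcp', 80):6} "
              f"alert-mode={ips_decision('tcp', 80, req)} "
              f"block-mode={ips_decision('tcp', 80, req, mode='block')}")
```

Note that every one of the four requests passes `packet_filter` with exactly the same `accept`; only the inspection stage tells them apart, which is the answer's point. The oversized-header signature is the kind that produces false positives against legitimate but unusual clients, which is why you would run it in `alert` mode first and look at what it fires on before switching to `block`.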

A packet filtering system is used at the front line to defend your territory. It actually executes your defence plan. It recognizes the incoming people (the incoming packets) to determine your partners (legitimate requests) or your enemies (malicious requests), according to the rules defined in your defence plan, then takes action: for friends, let them in; for enemies, deport them (refuse the requests) or kill them (drop the packets). The actions depend on your defence plan (such as to explicitly fight some or to implicitly confuse some).

A logging system is used to completely or partly record what actually has happened or is happening at the front line, in detail or in summary, depending on the battle types and your enemies, e.g. who has been allowed in as a friend (might actually be an enemy if your defence plan has a defect or is wrong), who has been killed or refused, who went out. Anything possibly useful for analysis should be recorded.

An IDS is used to monitor the latest changes in the logs and determine any abnormal behaviors, based on some patterns or experience. 1) It needs more computing resources and consumes more time. 2) Its outcomes are not actions (allow in or not); most are suggestions. Some IDSs may give commands to the packet filtering system at the front line to apply/change/stop a rule/policy, only if the conclusion of the IDS is very sure.

Humans should be involved in the defence system and have the final decisions. The IDS is just a tool to aid the people involved. The commander is a man; the IDS is the commander's intelligence department. The commander reviews everything and modifies the defence plan if necessary. Then the front line executes it.

Briefly, the concepts are different things, though related. They need to be connected to work together in a closed loop: plan, do, check, act (PDCA).
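An added example of the closed loop this answer describes and of the SnortSAM-style timed block mentioned earlier in the thread (alert seen, firewall told to block the source for a specified time, seconds to forever). This is a simulation written for this page, not SnortSAM's code or any poster's: IDS alerts become DROP rules with an expiry, a human-maintained whitelist overrides the automation (the commander keeps the final say), and in dry-run mode the firewall commands are collected rather than executed. The signature ids, the durations policy, the whitelist and the sample alerts are assumptions.

```python
"""Added example: alert-driven, time-limited firewall blocks in the style
of an IDS-to-firewall plugin. Simulation only; not SnortSAM. Durations,
signature ids and sample alerts are constructed."""
import subprocess
import time

# Assumed policy: signature id -> block duration in seconds (0 = until a human removes it).
DURATION_BY_SID = {
    1001: 600,   # port scan: ten minutes is enough to make it noisy and slow
    1002: 0,     # known worm propagation: permanent, reviewed by a person
}

# Constructed alerts as an IDS might hand them over: source and signature id.
SAMPLE_ALERTS = [
    {"src": "203.0.113.5", "sid": 1001},
    {"src": "198.51.100.7", "sid": 1002},
    {"src": "192.0.2.200", "sid": 1001},   # assumed whitelisted monitoring host
]


class TimedBlocker:
    """Keep IDS-driven blocks with an expiry and push them to the packet filter."""

    def __init__(self, whitelist=(), clock=time.time, dry_run=True):
        self.whitelist = set(whitelist)   # hosts the defence plan says never to auto-block
        self.clock = clock                # injectable so expiry can be tested without sleeping
        self.dry_run = dry_run
        self.blocked = {}                 # src -> expiry epoch (float('inf') = forever)
        self.commands = []                # every firewall command issued, in order

    def _run(self, cmd):
        self.commands.append(cmd)
        if not self.dry_run:
            subprocess.run(cmd, check=True)   # real mode: needs root and iptables

    def block(self, src, seconds):
        """Insert a DROP rule for src, or extend an existing one. Returns False
        if the whitelist vetoed the block. A re-alert never shortens a block."""
        if src in self.whitelist:
            return False
        expiry = float("inf") if seconds == 0 else self.clock() + seconds
        if src not in self.blocked:
            self._run(["iptables", "-I", "INPUT", "-s", src, "-j", "DROP"])
        self.blocked[src] = max(self.blocked.get(src, 0), expiry)
        return True

    def expire(self):
        """Remove rules whose time is up; returns the sources released."""
        now = self.clock()
        gone = [s for s, exp in self.blocked.items() if exp <= now]
        for src in gone:
            self._run(["iptables", "-D", "INPUT", "-s", src, "-j", "DROP"])
            del self.blocked[src]
        return gone

    def handle_alert(self, alert):
        seconds = DURATION_BY_SID.get(alert["sid"], 300)   # unknown sid: five minutes (assumed)
        return self.block(alert["src"], seconds)


if __name__ == "__main__":
    blocker = TimedBlocker(whitelist={"192.0.2.200"})
    for alert in SAMPLE_ALERTS:
        print(alert, "->", "blocked" if blocker.handle_alert(alert) else "vetoed")
    for cmd in blocker.commands:
        print("would run:", " ".join(cmd))
```

The `expire` method is what you would call from a periodic timer; the `iptables -D` it emits must match the inserted rule exactly, which is why both sides build the same argument list. Keeping `dry_run=True` while tuning, and reading `commands` instead of touching the firewall, is the same baseline-first discipline recommended earlier in the thread, applied to the blocking side rather than the detection side.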
